Passwordless authentication & passkeys
FIDO2/WebAuthn passkeys, SSO and magic links: how to remove the reusable secret that fuels phishing and credential stuffing — with adaptive MFA and credentials protected by design.
Quick answer
Passwordless authentication lets a user sign in without typing a password: instead they use a device-bound cryptographic factor (a passkey based on FIDO2/WebAuthn), a one-time link or code (magic link, OTP) or an identity already verified by an enterprise provider (SSO). The goal is to remove the reusable secret that fuels phishing, credential stuffing and password reuse. LoginMaster reduces password risk on three fronts: it federates access with Microsoft Entra ID and Google Workspace, so users leverage the passwordless already enabled at their provider; it applies adaptive MFA to raise the bar only when the context is risky; and where a credential still exists it protects it with Argon2 hashing and a split-salt architecture in which not even the provider can reconstruct it.
The ways to go passwordless
Passkeys (FIDO2 / WebAuthn)
A device-bound cryptographic key pair: the private key never leaves the device and unlocks sign-in with biometrics or a PIN. It is phishing-resistant because the signature is bound to the legitimate domain.
SSO and federation
With Single Sign-On the user authenticates once at their identity provider (Entra ID, Google Workspace) and reaches every connected service. If the provider offers passwordless, the whole flow becomes passwordless.
Magic links and one-time codes
A single-use link or code, sent via email or app, replaces the password at sign-in time. Useful for onboarding and low-friction scenarios, it should always be combined with context checks.
Adaptive MFA as a safety net
Even in a passwordless flow you still need to assess risk: a new device, unusual geography, an odd time. LoginMaster's adaptive MFA requests an extra factor only when the context warrants it.
Methods compared
Phishing resistance, secret reuse and user friction, in one table.
| Method | Phishing resistance | Reusable secret | User friction |
|---|---|---|---|
| Password + MFA | Partial | At risk | Medium |
| Passkey (FIDO2) | Yes | No reusable secret | Low |
| Federated SSO | Depends on provider | Single identity | Very low |
| Magic link / OTP | Limited | One-time secret | Low |
Frequently asked questions
It is a sign-in method that does not require the user to enter a password. Instead it uses a device-bound cryptographic factor (a FIDO2/WebAuthn passkey), a one-time element (magic link, OTP) or an identity already verified by a provider through SSO. Removing the reusable secret neutralizes phishing, credential stuffing and password reuse.
A password is a shared secret the user types and the server must store (ideally as a hash). A passkey is a cryptographic key pair: the private key stays on the device and is never transmitted, while the server keeps only the public key. There is nothing to steal in a database and the signature is bound to the legitimate domain, so it is phishing-resistant.
LoginMaster enables passwordless flows primarily through SSO federation with Microsoft Entra ID and Google Workspace: if those providers have enabled passkeys or Windows Hello, users reach LoginMaster-based services without a password. In parallel, LoginMaster applies adaptive MFA and protects any residual credentials with Argon2 and split-salt. Native FIDO2/WebAuthn passkey support follows the platform's evolution.
Passkeys based on FIDO2/WebAuthn are phishing-resistant because the cryptographic signature is tied to the legitimate domain and cannot be replayed on a clone site. Other methods such as magic links or OTPs reduce the risk but do not eliminate it, because a code can still be intercepted in real time. That is why LoginMaster always pairs them with context evaluation and adaptive MFA.
Many scenarios remain hybrid: some users still use a password, others a secret-based second factor. Where a credential exists, LoginMaster hashes it with Argon2 and distributes it with a split-salt scheme across Tenant and Cloud, so that no single store — not even the provider — can reconstruct it. It is the defense in depth that accompanies the transition to passwordless.
Yes. Reducing or removing passwords lowers the attack surface and strengthens the access controls required by NIS2 and ISO 27001, while LoginMaster's Tenant-Cloud architecture keeps personal data on the customer's tenant in line with GDPR. Passwordless and data minimization pull in the same direction: fewer secrets to guard means less sensitive data exposed.
Cut your dependence on passwords
Federated SSO, adaptive MFA and credentials protected with Argon2 and split-salt: we support your transition to passwordless without rewriting your applications.